mirror of https://github.com/danog/psalm.git synced 2024-11-26 20:34:47 +01:00

Advertise SARIF export in the documentation (#4633)

This commit is contained in:
Lukas Reschke 2020-11-19 23:48:57 +01:00 committed by Daniil Gentili
parent 2ad5eee193
commit 3fb73564f6
Signed by: danog
GPG Key ID: 8C1BE3B34B230CA7


@ -53,3 +53,23 @@ Nobody likes to wade through a ton of false-positives [heres a guide to a
Since taint analysis is performed separately from other static code analysis, it makes sense to use a separate baseline for it.
You can use --use-baseline=PATH option to set a different baseline for taint analysis.
## Viewing Results in a User Interface
Psalm supports the [SARIF](http://docs.oasis-open.org/sarif/sarif/v2.0/csprd01/sarif-v2.0-csprd01.html) standard for exchanging static analysis results. This enables you to view the results in any SARIF compatible software, including the taint flow.
### GitHub Code Scanning
[GitHub code scanning](https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) can be set up by using the [Psalm GitHub Action](https://github.com/marketplace/actions/psalm-static-analysis-for-php).
Alternatively, the generated SARIF file can be manually uploaded as described in [the GitHub documentation](https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/uploading-a-sarif-file-to-github).
The results will then be avaible in the "Security" tab of your repository.
### Other SARIF compatible software
To generate a SARIF report run Psalm with the `--report` flag and a `.sarif` extension. For example:
```bash
psalm --report=results.sarif
```
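Review bot: The sentence "The results will then be avaible in the "Security" tab of your repository." has a typo; it should read "available". Two smaller points in the same hunk: the SARIF link targets a public review draft of the 2.0 specification (the `csprd01` path segment), so consider linking the final published standard instead, and "SARIF compatible" should be hyphenated as "SARIF-compatible" in both the intro sentence and the "Other SARIF compatible software" heading. It would also help readers if the last paragraph stated explicitly that Psalm picks the report format from the file extension, since that is what makes `--report=results.sarif` produce SARIF rather than another format.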